At the end of last week, a new iOS malware dubbed XcodeGhost was identified by researchers. Unlike other iOS malware such as malicious profiles, in which an attacker lures a victim into installing something malicious on her or his device, XcodeGhost attackers actually lure developers into using a malicious development environment for iOS. As a consequence, attackers have ensured that many so-called “legitimate” apps have been developed using the XcodeGhost malicious repackaged tool and then successfully uploaded to the Apple App Store–approved by Apple for the general public’s iOS devices. Currently, Apple is removing or updating any known malicious apps from their App Store and have also issued an advisory to the developers.

Currently, Apple is removing or updating any known malicious apps from their App Store and have also issued an advisory to the developers.

However, we think it may be helpful to provide you with some security insights into this new breed of threat.

What Is XcodeGhost?

Xcode IDE is a development environment created by Apple. It is strongly pushed by Apple as the proper way to compile and test apps that should be running on Apple’s products such as iOS, OSX, WatchOS, and AppleTV. Every app developer is well aware of it.

Recently, researchers identified a repackaged version of Xcode that is similar to the original Xcode environment, however, in addition to its regular ability to compile source code into executable apps, the XcodeGhost environment also injects additional code that happens to be malicious into compiled apps. Because XcodeGhost does not affect developers’ source code, developers are mostly unaware of any malicious intent.

Eerily enough, the basis of XcodeGhost threats is very similar to the concepts presented by Adi Sharabani and Yair Amit from Skycure at the RSA ASIAPAC a couple of months ago. While Adi and Yair proposed that attackers generally repackage legitimate mobile apps, XcodeGhost attackers apply repackaging techniques to an earlier point in an app’s lifecycle, repackaging the IDE itself, which, in turn, inadvertently “repackages” the original legitimate app into a malicious app. This “sneak attack” method has managed to get many malicious apps uploaded to the Apple App Store by innocent developers. One other frightening feature of XcodeGhost sneak attacks: it only takes one victim (developer) to potentially impact hundreds, thousands or even millions of end users to download what they thought were legitimate apps onto their Apple devices.

The Impact of XcodeGhost Malware

It is important to note that XcodeGhost repackaged apps must still run under iOS sandboxing restrictions, and must still go through Apple’s screening process. Attackers trying to gain access to sensitive information on Apple devices can not simply use private APIs without restrictions: end users still needs to approve the actions.
Given that Apple’s safeguards are still applicable to XcodeGhost apps, attackers know that they can leverage the human factor to their advantage. Apple users tend to universally trust the apps approved by Apple for their App Store, and might hit “Accept” without much or any hesitation. For example, Apple users would likely not think twice about allowing an IM app that seems to be acting normally to access their contacts. Another approach might be to simulate a request of collecting credentials such as Apple ID or other Personally identifiable information (PII) and gain access to other resources.

List of Apps Infected by XcodeGhost

The researchers who found the threat provided a list of AppStore apps that were compiled with XcodeGhost. We have already seen some of these apps out there, but to be honest, the numbers are generally small. The following is the list of malicious apps that researchers have confirmed to be malicious. Most developers affected by this malware were in China, and thus, the list below consists of many apps targeting that region:

Remediation

As explained earlier, known malicious apps are being removed from the App Store by Apple, but one could be more proactive. With the Enterprise Edition of Skycure, one could detect a variety of threats including the XcodeGhost malware and apply relevant security and compliance policy to alert on, quarantine, or block infected devices.

In addition, we have put together a list of recommendations to allow end-users to be safe before a widespread security update is made available:

Update the individual apps listed above to the latest version as soon as an update becomes available

If no update is made available, it is highly recommended to delete the apps listed above from your mobile devices

Do not click on any dialogue boxes popping up on your phone unless and until you are sure about the action that caused them to appear

Change your Apple id password and any other passwords provided in case you have used any of these apps in the recent past

If you are using the same password elsewhere, please change that as well

If you need help with assessing whether your organization is at risk because of any mobile vulnerability, threat or attack, you can request a free trial of Skycure Enterprise Edition here.